Uvlio

Command Palette

Search for a command to run...

Back to articles
Technical Article

From docker run to Compose: What Each Flag Really Means

A docker run command is great for a quick test. It becomes fragile when copied into documentation, shared between teammates, or reused as a service definition. Docker Compose turns that one-line command into a reviewable configuration file. The conversion is not only syntax. Each flag carries an operational meaning: networking, storage, identity, restart behavior, configuration, and security.
Uvlio editorial team by limitcool2026-05-177 min read
Topic coverDeveloperdocker runcompose.yaml

From docker run to Compose: What Each Flag Really Means

A technical guide to translating docker run commands into Compose services while preserving ports, volumes, environment variables, restart rules, and secrets.

Guide subject preview
docker run -p 3000:3000 app
services: web:
ports: ["3000:3000"]
Tool stack
Docker Run to Compose
Reading focus
1Read flags
2Map service
3Validate config

Original workflow visual

From docker run to Compose: What Each Flag Really Means

This original Uvlio visual summarizes the practical path from input inspection to output review for this workflow.
1

Read flags

Review before moving forward

2

Map service

Review before moving forward

3

Validate config

Review before moving forward

Maintainer and review note
Maintained by limitcool. Use it to understand the technical model, processing boundaries, privacy risks, and verifiable behavior.
The image is only the start

The image name tells Docker what filesystem and default command to start from. It does not explain how the container should connect to the host, where data should persist, which environment variables are required, or what happens after a restart. Compose makes these decisions visible. A good service block should be readable enough that another person can tell what the container needs and what it exposes.

Port mappings have direction

A docker run flag such as -p 8080:80 maps host port 8080 to container port 80. Reversing that meaning is a common mistake. Compose expresses the same relationship under ports. Before copying a mapping, ask which port users or reverse proxies connect to and which port the application listens on inside the container. Avoid exposing ports publicly unless the service actually needs direct access.

Volumes decide what survives

Containers are disposable by design. Volumes and bind mounts decide which data survives recreation. A bind mount points at a host path; a named volume is managed by Docker. When translating from run to Compose, preserve the difference. Mounting the wrong host directory can hide files inside the image or write data somewhere unexpected. For databases and uploaded files, volume review is more important than syntax.

Environment variables can contain secrets

The -e flag is convenient, but copied commands often include passwords, tokens, or connection strings. Compose can move configuration into environment sections or env files, but that does not automatically make secrets safe. Do not commit real secrets to the repository. Use the project's existing secret handling, deployment environment, or secret manager. If you publish examples, use clear placeholders instead of realistic credentials.

Restart rules change failure behavior

A one-off docker run command may exit and stay stopped. A service often needs a restart policy. Compose lets you document whether a container should restart unless stopped, always restart, or remain manual. This is an operational decision, not a formatting detail. A crash-looping container with an aggressive restart policy can hide errors or create noise. Pair restart rules with logs and health checks when the service matters.

Not every flag maps cleanly

Some docker run flags translate directly. Others require Compose-specific keys, a different structure, or manual review. Interactive flags, device access, network modes, capabilities, user IDs, DNS settings, and platform constraints can carry security implications. A converter can produce a draft, but advanced flags should be reviewed against Docker and Compose documentation before production use.

A safe migration workflow

Start from a representative command with image, ports, volumes, environment variables, and restart behavior. Convert it into a service. Rename the service and volumes clearly. Remove secrets. Run a configuration validation command. Start locally if safe, inspect logs, and confirm the app writes data where expected. Then commit the Compose file with comments for any non-obvious flag. The goal is maintainable operations, not just a prettier command.

Common Questions

Can every docker run flag be converted automatically?

No. Many common flags map cleanly, but networking, devices, security options, and interactive behavior need manual review.

Should secrets go into docker-compose.yml?

Real secrets should not be committed. Use environment injection, secret managers, or the project's existing deployment mechanism.

Why use Compose for one service?

Compose documents ports, volumes, environment, restart policy, and service identity in a repeatable file.

What should I verify after converting a command?

Run a Compose config validation, then review the resolved service. Confirm the image, command, ports, volumes, environment variables, user, restart policy, and network match the original intention. If the command was copied from a README, check whether the defaults are appropriate for your host instead of preserving them blindly.

How should bind mounts be reviewed?

Check the host path, container path, read-only flag, ownership, backup expectations, and whether the mount hides files from the image. A wrong bind mount can make an application appear empty, write data outside the intended directory, or expose host files that the container should not see.

Why are container names often avoided in reusable Compose files?

Fixed container names can collide when multiple stacks run on the same host or when developers start copies locally. Service names and project names usually provide enough identity while allowing Compose to manage unique container names for each stack.

What belongs in comments?

Comment non-obvious ports, host paths, privileges, and restart choices. Do not comment secrets or temporary debugging values.